Well, I've done the same breach of protocol but not for any mission-critical apps; I got in a BeOS box to show our multimedia people what it can do (better than you-know-who). But again, we have had a management-sanctioned Linux sniffer for our network, so in a way they do realize the potential of open source. I do agree that the cost of the license vs. having knowledgeable staff to manage a *nix system is hard to calculate.

Heck yeah, that would have been the right thing to do. PHBs like this don't understand things until they are smacked across the face with them.

So when they get thousands of calls, "Why can't I read my email? People love me!" (repeat for apache, samba, bind, squid, ftpd, etc), something happens in their little skulls and they come back with, "Put that back online." Then just come back with, "But sir, your memo said to remove any Open Source tools on any system. It will take weeks to restore all the functions (aka overtime reading magazines) with closed enterprise buzzword-compliant solution systems, or I can use Open Source tools and be done in an hour." If they wish to build fires, go ahead and let them burn.

Well, realistically, after one or two services go down the calls will start pouring in. So target the internal ones, file server, web proxy, etc. first. The same point will get across that they cannot live without free software.

I got the feeling from _reading_the_article_ that the guy (who has made contributions to the kernel), felt that he and others that have linux skills at his place of employment should be doing _important_ work _not_ maintaining the mailserver. Basically he was palming the job off on the NT admins instead of hiring a dedicated admin for the linux box.

I can only speak from experience... but when I first started at my current job writing software for manufacturing test equipment, Linux was a big NO NO! Management wanted to use Microsoft products ONLY! Today (yes, I'm working on a Sat) we are putting the final touches on a mission-critical tester that's running Linux.

How did I do it? Small steps. (And good Linux publicity in the press this year.) I started writing software that would cross-compile across Windows and Linux, just to show that it can be done and done well. Then I started to push to get the software qualified as a backup plan in case the Windows code was not stable enough. Once management started to see that the Linux version was identical to the Windows software and was 100% stable, and saw they didn't have to pay the $250 MS tax for an NT license, heads started turning.

Yet, these same people will often make ill-informed decisions about what software to run within a company, even over the objections of the people who have to suffer it.

I think this is often because people perceive being in a place of authority as automatically proving their superiority over their subordinates. Management requires different skills, not superior skills, and I don't think a lot of managers acknowledge that. "If I'm a manager, I must be smarter than you - that's how I got to be a manager." In some places, that's practically dogma. Challenge it, and you'll feel the wrath of managerial ego come crashing down on you. In this kind of atmosphere, it's easy to ignore the input of technical experts when it conflicts with what they hear from their peers (who, being managers, must be smarter than those irritating technical peons, some of whom have the audacity to have salaries an alarmingly large percentage of what the managers get).

Or rather, this is a common misconception; in practice open source is often better supported than proprietary software.

While I'll agree, I will point out that management tends to have a different definition of support than us techies. We tend to think in information-gathering terms. 'Support', to us, means that we can get hold of whatever information is needed to fix the problems we encounter. Management tends to think in business structure terms. They want some business structure in place that will take responsibility for fixing or helping to fix problems.

In practice, as you noted, open-source style support is often superior, from the techie viewpoint. Business-structure support often puts you in touch with entry-level people who are used to giving out 'Please read the manual for me' level tech support, who don't actually run the software 'in anger', and who may very well be giving support out of pre-printed responses, rather than from their own knowledge and troubleshooting ability. From the 'information-gathering' standpoint, open-source style support, where you're in contact with your peers who are generally actually making real use of the software and have to deal with the same problems you do, is superior.

Aside from the business-structure blinders, I can see a little of where managers might sometimes be dubious. Managers often want to employ the kind of people who call tech support for 'read the manual to me'-style support. They're often cheaper, and less threatening to managerial ego. Open-source style support isn't geared towards the kind of hand-holding these people expect. You're normally expected to have read the relevant docs and tried to gather clues on your own before turning to a mailing list, usenet group, or whatever. Failing to do this will at best earn you a pointer to the relevant docs, and at worst will earn you a thorough flaming.

Now I'm not disagreeing with this state of things - it's not too much to ask of someone asking for free help that they do what research they're able to do on their own before imposing on others - I'm just pointing out that open-source style support fails to pander to managerial fantasies of doing Enterprise Computing in a Clue-Free environment. To carry it out to an extreme, many managers would like to be able to pull some moron off of the street, send him to some classes (or, even better, find someone who has already been through the classes and has a shiny certificate to show for it), and be sure that by buying the appropriate software and contracting the appropriate 'support', they can be assured of a stably-running operation, despite the deficiencies of their own people.

This is, of course, impossible (I can hear the managers now: "Don't say that!"). I'm exaggerating here, of course, but a fantasy very much like the above drives the heart of many a manager. When presented with the real-world "Your people can, with some study and work, learn to use the flexibility of open source software to your advantage" vs. corporate marketing's "If you manage to find the right magic bullet, sold by the right company, you can have a stable, enterprise-wide computer system/network without having to hire all of those expensive and annoying techies", they're going to have an almost irresistible pull towards the latter.

I'm still in high-school, but it sounds like there is a serious lack of UNIX workers. Not only in your post, but in other ones as well, it sounds like there are plenty of NT guys to work with the Microsoft stuff, but that it would be hard to replace a UNIX guy. How true is that?

Finding UNIX people is always harder, but I think a lot depends on the market you're in. When I was in Wichita, KS, I was the UNIX guy for a good-size company. Pretty much everyone else worked on the mainframe or did deskside support. Finding someone to replace me was a lot more difficult than finding a mainframe or NT guy.

However, since I've moved to Austin, TX, I've noticed that there are a lot more UNIX literate people around. The dotcoms I've worked for have all been Linux/Solaris based, at least on the back end.

Still, it's a lot harder to find good Unix admins and system programmers. It seems like everyone and his duck has an MCSE. One thing I've noticed, though, is that the ones who have the MCSE did it as a career move; the ones who do UNIX learned it 'cause it was fun.

In a previous life with a large and famously conservative company (Siemens large-scale imaging), we needed to use gcc for several platforms, and we needed to convince the customers who used our system that gcc was A Good Thing.

After a check with our own IS operation, we found out that open source was no different from commercial: the company and its customers wanted

The distribution on a CD,

A good printed manual, and

A service contract,

all together in the same envelope.

This was trivial to provide, and most customers didn't take the service contract because they already understood open source.

Actually, I think this was a package delivery firm... there was a similar story floating around at work a few months back.

Now if I were the person responsible for implementing this wild hair the FIRST thing I would do is to advise the users... after all, as an IT person the first priority is to keep the users functional, and they should be advised in advance of all planned outages. The way I'd do this is to forward the idiot's email to everyone in the company with the following notice (oh, and make sure you scale up the email node he's on, and give him and his management chain an increase in their mail quota;)

I did this this afternoon. Management was in the room at the time too. One of our important customers is having a weird problem with our server software, and we're trying to recreate it in the lab. Working on a single network segment wasn't recreating the problem, so we wanted to have two with a WAN link between them (like the customer)... while we were waiting for the WAN people to show up I had one of the guys throw a second Ethernet card into a spare lab machine while I dissected the hubs. Then installed RH6.2, configuring both Ethernet cards in the process, reboot, login and 'echo 1 > /proc/sys/net/ipv4/ip_forward'. Done. While it was copying files from the CD, management was on the phone with the CEO of the customer and even TOLD him "one of our developers is setting up a Linux box as a router between two Ethernets to see if we can recreate it that way."

More likely, it was a problem with using mail files in /var/spool/mail (VSM). Even using dot locks and other tricks, it's still quite easy to corrupt the mail folder if there's potentially more than one process writing to the same file.

That's the big win with Maildirs (originally exclusive to qmail). Since each mail message is a separate file, and there is a strict protocol for creating/renaming/deleting those files, the possibility of mail folder corruption is zero. No lost messages.

It should be easy for almost any organization to switch from VSM to Maildirs, unless that org has a bunch of old-time Unix-heads that are totally in love with their existing mail tools and scripts.

For my company, it was trivially easy, because all the users access their mail through the web or IMAP.

There are plenty of tools for Maildirs (including maildirdeliver, which can be used with sendmail) at qmail.org.
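The delivery protocol the post credits for Maildir's corruption-resistance is simple enough to show end to end. The following is an added example, not code from the page or from qmail: each message is written under a unique name in tmp/, fsynced, and then moved into new/ with a single rename(2), which is atomic on one filesystem, so a reader (or a second concurrent writer) never sees a half-written message and no lock on a shared file is needed. The unique-name scheme below (time, pid, a per-process counter, hostname) is an assumption chosen for this example; the Maildir spec only requires that the name never repeat.

```python
"""Minimal Maildir delivery illustrating the tmp/ -> new/ rename protocol.
Added example; not code from the page or from qmail."""
import itertools
import os
import socket
import tempfile
import time

# Per-process counter so two deliveries in the same microsecond still differ (assumption)
_counter = itertools.count()


def create_maildir(path):
    """Create the three standard Maildir subdirectories."""
    for sub in ("tmp", "new", "cur"):
        os.makedirs(os.path.join(path, sub), exist_ok=True)
    return path


def _unique_name():
    # time + pid + counter + hostname; ':' and '/' are illegal in Maildir names
    now = time.time()
    host = socket.gethostname().replace("/", "_").replace(":", "_")
    return "%d.M%06dP%d_%d.%s" % (
        int(now), int((now % 1) * 1e6), os.getpid(), next(_counter), host)


def deliver(maildir, message_bytes):
    """Write the message to tmp/, fsync it, then atomically rename into new/.

    Until the rename, nothing is visible in new/, so a crash or a concurrent
    reader can only ever see a complete message there."""
    name = _unique_name()
    tmp_path = os.path.join(maildir, "tmp", name)
    new_path = os.path.join(maildir, "new", name)
    # O_EXCL: refuse to clobber if the name somehow already exists in tmp/
    fd = os.open(tmp_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(message_bytes)
            f.flush()
            os.fsync(f.fileno())
        os.rename(tmp_path, new_path)
    except BaseException:
        # On any failure the partial file never reaches new/; clean tmp/ up
        try:
            os.unlink(tmp_path)
        except FileNotFoundError:
            pass
        raise
    return name


def list_new(maildir):
    """Names of messages waiting in new/."""
    return sorted(os.listdir(os.path.join(maildir, "new")))


def demo():
    """Deliver three constructed messages into a scratch Maildir and check that
    each arrived intact in new/ with nothing left behind in tmp/.
    Returns (count_in_new, count_in_tmp, all_messages_intact)."""
    root = create_maildir(tempfile.mkdtemp(prefix="maildir-demo-"))
    msgs = [b"From: a@example.invalid\r\n\r\nconstructed message %d\r\n" % i
            for i in range(3)]
    names = [deliver(root, m) for m in msgs]
    intact = all(
        open(os.path.join(root, "new", n), "rb").read() == m
        for n, m in zip(names, msgs))
    return len(list_new(root)), len(os.listdir(os.path.join(root, "tmp"))), intact


if __name__ == "__main__":
    print(demo())
```

Contrast this with a single /var/spool/mail mbox file: there, two writers appending at once interleave bytes inside one file, and the dot-lock that is supposed to prevent it is advisory, so any tool that forgets to take it can still corrupt the folder.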

What, putting the word 'idiot' makes it flamebait? What if he was an idiot? Thinking NT supports all networks still in use makes you an idiot in my book. Thinking any OS supports all networks still in use makes you one.

Watch this get modded down also, assuming any moderators hang out in this discussion anymore.

Read the article about the Washington Supreme Court upholding shrink-wrap licenses. Even with commercial software no one is responsible. Read the EULA on any piece of software (commercial or otherwise) and I assure you it will have a clause in there about no warranty being provided with said software.

Your argument doesn't hold water, however. Read any EULA. Every single one of them (even the GPL) has a clause about the software coming without warranty. So if Win NT decides to eat your database and you lose millions of dollars you can sue MS all you want, but you will lose. For proof of this read the article linked on Slashdot about the Washington state supreme court upholding a EULA in exactly this type of situation. And since MS is located in Washington I'm assuming this does a lot to cover their asses with a nice precedent.

At least the open source community doesn't pretend to give any guarantees of stability; they just fix the bugs as they come up and say "oops!" Try getting Microsoft to admit that they made a huge mistake in some app.

Not to start a flamewar or anything, but I believe you already may have. Do you care to back that opinion up with any facts, or are you just hewing to your company's knee-jerk anti-GPL party line? Because if you just "agree" because your boss told you to, then you missed the entire point of the article that we're discussing here.

I formed my own corporation whose solutions are linux based. We advertise it! We are proud of it!

When our clients and customers approach us, they have already made the informed decision to go with an open source solution. There is no sneaking around. We replace expensive and buggy proprietary systems with open ones in the bright light of day!

We also get to educate those users and managers with questions about why our open solutions are better than certain companies' closed solutions.

If you're running an RPM-based system, rpm -qf will tell you what package a file came from. rpm -V will verify the package and tell you if any files installed by that package have been altered or removed.

I'm certain DPKG has similar capabilities, I just don't remember the commandline offhand.

Obviously this doesn't help with a completely custom-compiled system. Most businesses do not "roll their own" distro for their servers. They buy a commercial Linux distro (or use Debian). It saves time, and gives other advantages such as the above verify command.

(BTW, if you do a quick search around the net you can find "root kits" for most Unixes (commercial and open source) that will replace common system binaries (passwd, ls, ps, etc.) with "hacked" versions. Similar types of programs exist for most non-Unix systems (e.g. Back Orifice 2000).)
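The verify output the post recommends is terse, and on a box with a few thousand packages most of it is noise (config files that were edited on purpose, mtimes touched by a backup restore). This added example, which is not code from the page or from rpm itself, parses `rpm -V` lines and sorts them into what a responder should look at first: the sample lines are constructed to mimic rpm's verify format (nine attribute flags or the word `missing`, an optional file-type letter such as `c` for config, then the path) and model the exact case the post describes, a package-owned ls and ps whose size and digest no longer match.

```python
"""Triage of `rpm -V` output. Added example, not code from the page or from rpm.
The SAMPLE_OUTPUT lines are constructed for this example."""
import re

# Meaning of each of the nine attribute columns, in rpm's order
FLAG_NAMES = {"S": "size", "M": "mode", "5": "digest", "D": "device",
              "L": "symlink", "U": "user", "G": "group", "T": "mtime",
              "P": "capabilities"}

# <flags or 'missing'>  [type letter]  /path
LINE_RE = re.compile(
    r"^(?P<flags>missing|[SM5DLUGTP.?]{9})\s+(?:(?P<type>[cdglr])\s+)?(?P<path>/.*)$")

# Attributes whose change means the bytes or privileges on disk differ from
# what the package shipped; on a non-config file that is what a binary swap looks like
CONTENT_FLAGS = {"size", "digest", "mode", "symlink", "user", "group", "capabilities"}


def parse_verify_line(line):
    """Return {'path', 'type', 'changed'} for one rpm -V line, or None if it
    is not a verify line (headers, warnings, blank lines)."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    flags = m.group("flags")
    if flags == "missing":
        changed = {"missing"}
    else:
        changed = {FLAG_NAMES[ch] for ch in flags if ch in FLAG_NAMES}
        # '?' means rpm could not check that attribute (e.g. permission denied)
        if "?" in flags:
            changed.add("unverifiable")
    return {"path": m.group("path"), "type": m.group("type"), "changed": changed}


def classify(entry):
    """Bucket one parsed entry for investigation priority."""
    changed = entry["changed"]
    if "missing" in changed:
        return "suspicious"           # a package-owned file that vanished
    if entry["type"] == "c":
        return "config-drift"         # edited config: expected, still worth a diff
    if changed & CONTENT_FLAGS:
        return "suspicious"           # content/privilege change on a non-config file
    return "benign"                   # e.g. mtime only


def triage(output_lines):
    """Group verified paths by bucket, preserving rpm's output order."""
    result = {"suspicious": [], "config-drift": [], "benign": []}
    for line in output_lines:
        entry = parse_verify_line(line)
        if entry is None:
            continue
        result[classify(entry)].append(entry["path"])
    return result


# Constructed sample shaped like `rpm -Va` output after a binary swap
SAMPLE_OUTPUT = """\
S.5....T.    /bin/ls
S.5....T.    /bin/ps
.......T.    /usr/bin/vim
S.5....T.  c /etc/ssh/sshd_config
missing      /usr/sbin/sshd
.M.......    /usr/bin/passwd
""".splitlines()


if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_OUTPUT).items():
        print("%-13s %s" % (bucket + ":", ", ".join(paths) or "-"))
```

Feed it the real thing with `rpm -Va | python3 triage.py`-style piping once you wrap the `__main__` block around `sys.stdin`. One caveat a practitioner will already know: a rootkit that replaces system binaries can replace rpm or tamper with the RPM database too, so on a box you actually suspect, run a known-good rpm from read-only media and verify against the original package files with `rpm -Vp` rather than trusting the installed database alone.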

What's so hard about understanding the attitude? They just fear change. WinNT is like the comfortable old shoe. The shoe is raggy, torn up, on the verge of falling apart, but you know the shoe. You love the shoe. The shoe makes you feel safe and comfortable, whereas Linux is like a brand new sneaker. You haven't broken it in yet; it's too fancy, high-tech and new compared to your good ol' shoe. They just didn't have time to break in the new sneaker.

The ethics are simple. An engineer is responsible towards his employer and his employers customers.

An engineer's boss, and the boss's boss, etc., are irrelevant. They can say whatever they want and blabber on about 'corporate standards', but in the end, as long as you can justify the products you use with the fact that the 'official' crap Just Does NOT _WORK_, then you are being 'ethical'.

Last time our rogue installation of Samba came up on the discussion the 'bosses' tried to justify using the 'official' product by saying the 'official' support for the 'official' product, well, they were y'know, nice and so and they were really trying. Well, fine, sure they're trying, but for two and a half years their product has been unusable.

If a product works as advertised I have no problems with my company using it, but if the 'official' products do not work, and there are free replacements that _DO_ work, I don't care what the policymakers say. And I'm prepared to defend that position as high in the corporate hierarchy as I have to.

But if a Windows NT server goes down, there are hundreds of thousands of MCSEs and hundreds of support channels (including servers that can be replaced with 6 hours' notice).

Are there really "hundreds", or are there hundreds of copies of the same support channel? As for replacement, what matters is not replacing the hardware or the system software but the applications and data on it. Of course, if the software is faulty then a replacement isn't going to do much good. Added to which, an in-house "hot spare" probably makes more sense than something from a third party.

The fact of the matter is that it is an INTRINSIC property of open source that it must prove itself above and beyond that of commercial software simply because there is simply no legal recourse for companies who use it. I think it is perfectly understandable and reasonable for companies to accept commercial software above open source for this reason.

Or rather, this is a common misconception; in practice open source is often better supported than proprietary software. Partly it's because no one has a monopoly on providing support and partly because the authors take pride in their work. So far as legal recourse goes, there is absolutely no issue at all.

I don't understand this attitude. If one package is broken you don't install a whole different OS! Get a mail server that guarantees mail delivery, like QMail!

Most likely the people involved don't understand the difference between an application and an operating system, as a result of so much MS propaganda which attempts to blur this important distinction.

should be easy for almost any organization to switch from VSM to Maildirs, unless that org has a bunch of old-time Unix-heads that are totally in love with their existing mail tools and scripts.

Shouldn't be too hard to get many of these mail tools to read Maildir format either...

For my company, it was trivially easy, because all the users access their mail through the web or IMAP. There are plenty of tools for Maildirs (including maildirdeliver, which can be used with sendmail) at qmail.org.

One thing still not available is Windows programs which will read SMB-mounted Maildirs.

The CIO of the Fortune 50 company for whom I work issued a memo to all employees that no Open Source would be used on any system in any manner. However, we did not immediately disable all systems company-wide and shut the whole thing down to remove the many Unix-standard tools that happen to be Open Source, and that run standard system services on every single Unix machine in the entire company. We just ignored him. Should we have shut down a few thousand Unix servers immediately, pending the approval of new non-Open replacement tools? Would that have been the ethical thing to do?

You'd have also had to yank all your internet connectivity :) Maybe what you should have done was confirm it with them immediately before switching off the network.

You're completely right: going behind a boss is asking for trouble. At the same time, smart management shouldn't simply ask for "their" solution, they should ask for the best solution. Sometimes that's Linux, sometimes it's NT, or BSD, or Be (...ok, I can dream, can't I? :). Of course, "should" doesn't mean it always happens (or at some places, *ever* happens).

I think the boss in the article is an example of a smart boss: his man got the job done timely and inexpensively, and he was cool with it.

When it comes down to it, when you lock yourself into one technology, you lock yourself out of the best solution.

The point is, with closed source from some vendor who sells to anyone with the right amount of cash, it's UNLIKELY to contain a back door that will specifically target YOUR company, and it's even more unlikely that some disgruntled employee could convince said vendor to create a patch just to suit his desire for a back door. However with open source a back door can be readily customized to target YOUR company, and the source is right there available to anyone with a grudge. And a customized back door may well be able to go around any firewalls or other precautions in effect against outside attacks.

Several studies have concluded that about 80% of security risks come from INSIDE a company and are done by employees with an axe to grind, not from some outside hacker out for a lark.

One could use the quick linux/bsd box as a quick prototype for the project, then switch to the OS That Shall Not Be Named when it is finally ready months later. When the pointy-haired supervisors complain about the eventual speed decrease, you can point out the special Rapid Application Development Prototyping method you use, and in a flash of brilliance it may occur to him that the prototype model is faster and may win him points with his supervisors for thinking of switching back to it.

Group Logic has documented several cases where the sendmail program running on the Linux server lost an e-mail message.

Umm, ever heard of qmail? Postfix? Exim? All better than sendmail. It kinda makes me wonder how well the NT servers that replaced the Linux servers are configured, with sysadmins who don't know how to properly configure sendmail (or replace it).

The ACM already created a Code of Professional Conduct in 1966 (no link, sorry), which has been revised a couple of times. The current version can be found on http://www.acm.org/constitution/code.html

In our computer manufacturing company, IT is as unresponsive as a doorknob and worships at the feet of Gates. They own the infonet as a whole, but our group develops and maintains some of the more important internal applications on a couple of our own servers.

We found enough equipment lying around to put together a third server, asked IT to hook it into the Infonet (while there were only Windoze apps on it), then installed Linux and started developing with that. I assume IT could figure it out, if they look hard enough. But since our two NT servers have to be rebooted every day just to avoid problems, and whatever we're doing with the new server, it's as reliable as a Timex, if they know, they aren't griping.

Why? Ignoring bosses' orders can be ethical in a lot of cases. Company's policy has very little to do with ethics, and it's still a moral choice of a person to follow or to reject it.

I was using the term "ethics" in the sense of "Professional Ethics". As in: ethics n - the principles of conduct governing an individual or a group.

While there are exceptions, it is generally not ethical in the sense of "Professional Ethics" to not do as instructed by your employer. It is in violation of your implicit contract of pay for work as directed.

If you disagree with an employer's edict to the point that you find that you cannot follow it, you should quit. I recognize that there are difficult choices to be made when suddenly losing your employment would endanger those who depend on your income. In those cases, perhaps you should do as instructed and register your objections. Remember that if you don't do as instructed and are found out, you may also suddenly lose your employment under circumstances that are even less favorable to those that depend on your income (e.g. you'll have a tougher time getting another job when fired for insubordination).

Following an ethical code can lead to difficult choices.

Moral is something else entirely. If an ethical system is in conflict with your morals, you shouldn't follow it, but morals and ethics are not identical.

I guess I could respect a "GNU ethics" that holds that freeing software is more important than deceiving your employer. But, I'd like to see it explained somewhere and codified so it could be critically examined.

I don't respect people doing just what they feel like as being right in situations that require an ethical judgement. I believe in people following ethical codes rather than just what seems right at the moment.

The problem may come to when something goes kablooie (even unrelated to the open source software) and the headhunters come flocking to put someone on the chopping block. If the software was from a large, dominant provider, the boss and anyone else who ought to be taking responsibility can just shrug and say 'Oh well, buggy as usual' and go on.

This is an excellent point, I think.

I do find it ironic that so many people in the discussion of this article are appealing to liability concerns when we have the VERY recent Slashdot article about how shrinkwrap warranties are being upheld.

However, what you are saying above is subtly different than this. You're saying that no one will hold you personally liable for selecting a "popular" solution (MS, Sun, IBM, etc.) vs. Open Source.

We can hope that as the reputation of Open Source improves, after many success stories continue to accumulate and the reputation of shrinkwrapped solutions becomes tarnished by companies finding they have no recourse when things go "kablooie", this situation might change. Management could feel more comfortable with supported solutions that are based on Open Source.

Ultimately, Open Source may offer some advantages in perceived reliability. A firm can commission specific audits on a system to help ensure that it meets their requirements with Open Source, and if things do go "kablooie", it is easier to pay someone to fix it without junking the system in its entirety.

At my workplace, we were using a Netscape proxy on an NT box. For some reason, it was crashing like 5 times a day :) We never did figure that one out because the boss heard about this great thing called Apache. Now we have outstanding uptime. He was so impressed that we are now in the process of replacing our fileservers with Linux boxes.

I was using the term "ethics" in the sense of "Professional Ethics". As in: ethics n - the principles of conduct governing an individual or a group.

For me no specific "ethical code" can override the general ethics -- if some rules of professional conduct (or "GNU ethics" if such thing ever existed) contradict with general ethics that I accept, following the "specific" rule is unethical, no matter what. While I may be forced to do an unethical thing, it doesn't make it right.

Also, I don't see why I should quit a job just because I don't want to follow all the bosses' words -- I am as much part of that work as he is, and if he doesn't quit his job because I disagree with him, why should I do that? There were a lot of situations in my life when managers were wrong, and they acknowledged afterward that my actions were better for the benefit of the company/customers/whatever-thing-they-consider-important.

The fact of the matter is that it is an INTRINSIC property of open source that it must prove itself above and beyond that of commercial software simply because there is simply no legal recourse for companies who use it

All commercial software is released under licenses that disclaim all responsibility of the manufacturer -- sometimes with the exception of defective media shipped.

Presumably that means that they trust you to do that job to the best of your ability. If this means that you use Linux, Apache and PostgreSQL rather than NT, IIS and MS SQL Server to do that job, then presumably you know what you are doing.

If they challenge you on your decisions and refuse to support them then *why* are you still working there?

Why would you work for an organisation that does not trust the judgement of its own employees? There are a lot of good employers out there who trust and value the skills of their employees.

I have had experience of attempting to get Open Source "infiltrated" into large IT solution companies.

My immediate manager was, thankfully, a techie at heart (A manager who actually *understands* what his underlings are doing is a rare find!).

Of course, I still had to *prove* to him that this Linux thing was reliable and was worth investigating. This was quite simple to do: I salvaged an old 486 from the stores (after all, what use does a 486 have?), installed the latest version of Red Hat I had, and started developing on it.

As time went by, I ported various scripts and systems from a big, ugly DRS/6000 box which sat in the basement.

Eventually, the lil' ol' 486 was doing loads. My manager agreed, and we got a sexy Pentium-class server to host everything. We never looked back.

Unfortunately, getting it in the company *as a whole* is a lot more difficult. You have to counter all the usual arguments:

"It's free, so it can't be any good". "Where's the support?" "How can we sell it to customers without support? Who can we refer them to?"

The support argument is pretty fair. Most IT solution companies don't *want* to have to support a system once they have sold it. For example, if you sell a Solaris/Sun SPARC solution, the customer can simply call Sun direct when the machine breaks down. Easy.

We never did manage to convince the marketing people about the virtues of Open Source. Too stuck in their ways, afraid of change.... but that's the very nature of large IT companies.

Ranum says hiding the operating system from everyone, including the professionals who know how to maintain one, is a smart solution. Every system takes time to learn, and his company wants to make its Network Flight Recorder product simple to use. Ranum says, "The Unix heads hate NT, and the NT heads hate Unix, so our answer is that it's like a toaster: There are no user-serviceable parts inside."

IMHO, this is a huge mistake. I have used NFR for a while, I like the older versions. They were great. But this attitude of Ranum's is why the program got screwed up, and why I no longer like it.

NFR is an IDS, for those of you that do not know. An IDS takes some time to understand, and you have to know networking to use it right. Creating an IDS that any moron can use will mean that any moron will use it. And any moron will not know the difference between an attack they should worry about and one that they can ignore. I don't want an easy-to-use IDS on my network, I want a good one.

Plus, the amount of usability that I lost with the newest version of NFR was huge. A prime example is that the only way to interface with it now is through a Win32 interface. There is no way to access your NFR install from a UNIX box. Plus there are little things, like for instance that you cannot, say, see every packet from a given IP regardless of what sig matched it.

I think I should point out at this point to all of you saying "hell, yeah, you should have done exactly what he said" that the particular company in question is relied upon by nearly every business in this country in order to perform vital business functions, and you'd have all been screwed if we'd done it. :-)

And hell no, I'm not saying what company; they could be reading this.

Late post, but what the hell. In January this year I was fired from my intranet admin and development job at Bain and Company, Inc. because I was using Perl and Apache. I now work for a much cooler company using mod_perl, MySQL, etc. etc. on Linux. I am much happier when I wake up in the morning now =)

Pretty soon after I left everything was transferred to an IIS box built to the approved corporate standard. There's too much Perl to throw out overnight, but future development will be ASP with Visual InterDev. (Odd that I could replace / replicate ASP stuff quickly but not the other way round...)

Even on NT, Apache ran without problems for nearly a year. Not a single crash. The average uptime on the NT server zoomed up to >30 days.

From what I hear, the IIS box has rolled over and died many times in the last few months. Still, at least it did so in the Approved Corporate Manner.

Complain all you want, the Outlook Web Client and the Calendar/Tasks/Contacts integration is REALLY clean.

One of the companies that I work with gave everyone Exchange mail accounts that are accessed with the Outlook Web Client. The almost universal reaction from the users was highly negative. They hate it and avoid using it whenever possible. Most of them prefer to use the normal versions of Eudora or Outlook.

I've done this as well. I've managed to sneak a Mandrake box in to run our database, and now that we're collecting and presenting the data on the net, I'm setting up a Mandrake/Apache server. Management doesn't check, and I don't tell them. My concern is, ultimately, could this be something that would get me fired. I would assume, since I'm setting up working solutions for minimal cash, they'd love it... but in business you never know.

At any rate, if we all did this with just one or two mission critical apps, even management would begin to understand that some open source software is BETTER than their high priced brethren. -Jer

What's scary is that many people who were among the first Linux converts have been out in the workforce long enough to actually be the boss-- which helps Linux acceptance tremendously and will only get better in the future.

Also, as in any case where one needs to convince one's boss of the "right" thing to do there are a few things to keep in mind:

Bosses get the final decision: No matter how much you might wish to do things otherwise, your boss does get final say in what happens-- even if he/she is wrong. Overriding your boss's final decision with your own is unprofessional and reduces your credibility the next time. (see below for more discussion)

Bosses need a high-level view: Don't try to convince your nontechnical boss that Linux is better because of the way it works internally. Speak in terms of high-level views-- e.g. it's more reliable, it scales better, it's easier to manage, etc. Present this first and when they want more detail give it out in layers of progressively more information. E.g. it's more reliable because <insert feature appropriate to the discussion here>. If they still want more detail (rare) then you can start talking internals.

Know thy enemy: Your opinions will count for a lot more if you know both sides of the issue. Damning testimony about the horrors of Exchange means a lot more coming from someone who's actually worked with it than someone who only knows sendmail. Study both the advantages of competing products as well as their disadvantages-- you'll be able to answer tough questions better this way.

Be patient: Maybe it didn't work out this time-- try to find out why and on your own time research the areas where your solution was seen to be deficient. This may not be for technical reasons, but that doesn't automatically make them less valid. What can you do to assuage your boss's fears next time? You may need to learn some nontechnical skills to accomplish this, such as budgeting, business management, vendor relations, etc. It'll make you a more valuable employee and your opinions will be more respected next time.

Be accommodating: Most reasonable supervisors will let their staff work on their own "pet projects" if they can be assured that it's not taking them away from the business priorities. See if your boss will let you set up an old scrap PC with Linux as a test system. Assure him that it won't interfere with your work and BE SURE IT DOESN'T. This will mean dropping the test system work when real work needs to be done. You can show him just how useful Linux is by pointing out how you and your buddies have been pounding on it for months with no trouble whereas this "other server" has been nothing but problems in the interim.

In short, "smuggling" is a bad idea-- unless your boss is completely closed-minded. (In this case, maybe it's time to dust off the resume and look for someplace with better bosses.) If you can convince your boss that it's better to go with an Open Source solution, maybe he'll be able to convince other bosses and it'll spread company-wide. This would eliminate the "non-standard" argument we've all heard so often.

It is very difficult to get out of breach of contract if the contract is worded correctly.

I have yet to see any sort of performance guarantee in ANY contract for a technology product that covers consequential damages. If you are able to get such guarantees, I would surely like to know from whom.

I put the very first official Open Source OS box on our network last week. It's the first step in finally joining our LAN with the Internet. There is still a lot left to do, but it's a good first step.

I'm the sole IT person at my company. We have a small LAN that includes some 30 Win 95 clients and two Novell 4.11 servers running IPX/SPX. That part was set up by my predecessor, and it actually works pretty well. As long as you ignore the usual 1-4 crashes per client per day due to the glories of Win 95, that is. At least the servers just hum along. Unless you try to change anything about the Novell GroupWise email system, in which case it more often than not will go berserk until placated with the proper sacrifice: a long weekend at the office. But that's another story.

So anyway, a while back the CFO decided he wants us on the Internet. We already have our email handled by a dial-on-demand system that allows us to go to/from the Internet, and those who actually need to browse the Internet have modems on their clients, but he wants the full thing. Which is fine with me; like everyone else here, I love putting in new stuff.

So I do a little research. I'm a Linux user, so of course that's the first system I look into for the firewall server, primary and secondary DNS, and all that good stuff. But as I look around, I keep hearing about OpenBSD. It's secure, it's stable, and just about perfect for a server that will be on the Internet. So I get a copy and check it out.

Wow. It's everything I'd been told and more. The installation was way cool. Granted, if I'd been a UNIX neophyte, it would have given me fits, but as someone who knows and is comfortable with UNIX, I thought it was pretty sweet. The second system I installed it on (yeah, probably like most of you, I find it fun to install new OS's, so I ended up installing it a dozen or so times on a handful of different systems that were lying around) had a flaky CD-ROM drive. So during the package installation, it flipped out, had to drop down to another protocol, and ended up not being able to install the first package. But after it installed all the others, it told me it hadn't installed that package, and would I like to try again? I said yes, and it merrily installed that package. Nicely done; much nicer than the typical Novell patch process, for example.

Anyway, I won't bore you with the details since you're probably more familiar with OpenBSD than I am. Suffice it to say that I'm very impressed with the way it comes up clean, just waiting for you to add only those services you actually need. No futzing around, turning off this and that. No admin tools that re-write your config files. Ah, elegance!

While it wouldn't be my first choice for a desktop OS, it's definitely my first choice for server OS's.

Oh, right, this story had a point other than "OpenBSD is cool," didn't it? The point is that OpenBSD is now running happily on an old Compaq Deskpro 2000 P-166 w/ 96 MB RAM, performing as our DHCP server (remember, we're on IPX/SPX internally, so we still need the basic infrastructure for IP).

Before I installed that server, I wrote a nice report for management, explaining some of the broad issues for Internet security, giving the highlights of the different available server OS's for handling firewall server functions, and recommending that we go with OpenBSD for all our Internet-related servers.

The CFO and Controller both read my report, and they've agreed whole-heartedly with me. They appreciated being given a chance to understand the issues (at an "executive" level, anyway). That has allowed them to follow my reasoning in choosing OpenBSD, and they're behind my choice 100%.

It feels darned good to have finally brought free software into my workplace.

Now if only I can convince them to go with Linux on the desktop someday, I'll be in bliss!

Although the popularity of open source among engineers is pleasing, this is not a step in the right direction. Open source software should be embraced by managers as well as engineers. This is because of a commonly pointed out flaw in GNU and Linux and other OSS (though some won't call it that). Many complain that OSS is just for techie geeks and will never hit the mainstream. Thus, the engineers are the expected crowd - they've been using open source for a while, and want to use it at work. If OSS is to make real progress, it has to be accepted by somebody other than techies.

I recently attended Novell's BrainShare, at which there were a surprising number of Linux sessions. At one of the larger sessions, I found a very amusing, and very telling demonstration.

Instructor: "How many of you are running Linux in house?"

Well over 90% of the hands were raised.

Instructor: "How many of you did it with a mandate from management?"

I didn't see a single hand go up.

While we now have two official, approved Linux boxes in house, they got there because I installed them without any approval, and forced management to recognize they were providing needed services that were not being addressed elsewhere. There is no way they would have made it in any other way.

The standard boss-convincement mechanism is to write a business case - estimate the benefits and costs in a one-pager, with maybe several pages of backup data to accompany it. It's not just PHBs that need that - you're making effective use of your boss's time.

Unix systems being what they are, it's often pretty straightforward to put together a prototype in a short time, or point to URLs for a couple of similar projects that other people have done. This lets your business case say "Expand the demo that we did in an afternoon which did 80% of the functionality to a full system", which is a much stronger position than "Start something unknown and untrusted from scratch", though of course the last 20% of the work takes much longer than the first 80%.

Getting approval to use open-source software for internal use should be easy, though it's more trouble if your company makes commercial software because of different open-source licenses (especially GPL) affecting the software you sell, if you're not careful about interfaces. But the more difficult part is getting approval to publish software you've written as open-source. Other than companies in the business of providing and supporting open-source software (e.g. RH, Cygnus, *linux, *bsd), I'd be interested in hearing people's experience getting open-source out of their companies.

Is it so obvious? This /. story [slashdot.org] talks about who is responsible when closed source software fails. To quote:

"Kinda answers the old open source FUD question 'who you gonna sue if something goes wrong?'. According to the WA courts, nobody." The opinion is available here, and a dissenting opinion by two of the judges is also available.

LIMITATION OF LIABILITY. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL MICROSOFT OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, OR ANY OTHER PECUNIARY LOSS) ARISING OUT OF THE USE OF OR INABILITY TO USE THE SOFTWARE PRODUCT OR THE FAILURE TO PROVIDE SUPPORT SERVICES, EVEN IF MICROSOFT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

So if it's closed source, you have nobody to sue. If it's open source you have nobody to sue, but you can fix it yourself!

I'm going to qualify this. I am an MCSE and CCA, I professionally support Microsoft and Citrix based solutions. On my own I've been playing with Linux for a few years (on and off for about 3 or 4), but I have far more experience with NT 3.51/4.0 and some on Win2K (Pro, not server).

Now, I'm probably going to be working on my own as a consultant instead of for a firm, and for the project I'm looking at, I'm debating the merits of a Linux (more likely FreeBSD though) solution or an NT solution.

Now, the obvious advantages to the UNIX approach is stability. I like Exchange Server, it's easy to manage, pretty straightforward, and pretty powerful. Complain all you want, the Outlook Web Client and the Calendar/Tasks/Contacts integration is REALLY clean.

It also has the advantage that when I leave, any moron can maintain the system (adding users, etc., not properly babysitting it).

Now, Exchange is really unstable, but stopping and restarting the services usually fixes things and only needs to be done every once in a while.

However, the stability and cost of a Linux approach appeals to me. My personal mail server (that serves mail for myself and a few friends) is a Linux system, and it works pretty reliably.

Here is my question:

I ideally would like to run the Linux or FreeBSD solution for stability. My concern is maintenance. Now, I'm a reasonably competent programmer, so I could probably hack out some Windows tools to maintain the accounts (don't worry, I'll release them free as in beer, and even GPL them if I'm not TOO humiliated by my VB code), but I'm wondering if I should bother.

Are there good tools available for maintaining such a system? I haven't found any. I've found a few X11 based ones that I could probably adapt (even compile them for NT with an X Server), but will any have the ease of use?

Also, I've had a nightmare of a time trying to integrate a Linux and NT domain. I mean, I could move them to a straight Unix solution, SAMBA would handle the file sharing fine, but I need something that ANYONE can maintain. Somehow a collection of HTML pages doesn't seem like a good solution.

How would you go about integrating UNIX-like servers in a Windows environment? I can rule out moving the desktops to Linux, so I need everything to play nicely. Is LDAP the solution? How do you go about a project like this?

"I don't see how management can possibly accept the word of the "community" as sacrosanct, given that at least in my experience people want *legal* assurance that they are getting into something stable."

You know that is really true, but what you can't forget is that the supreme court just said if the companies selling the software used a shrinkwrapped license, they weren't accountable. But even in the contracts that I am assuming most major businesses would want to get from companies, there have to be at least a 1000 different ways for the software company to weasel out of paying damages. Which is really sad, because they made the software, and if it goes wrong while you were doing everything the software told you to and it still took down your server, then it HAS to be the software companies that messed up.

I guess I'm just a little worried about us accepting the term "open source smuggling" for this. Copyright infringement has already been pasted with the misleading demagogic term "piracy" (Arrgh! Shiver me templates!). Won't "smuggling" be leveraged into another assault on the legitimacy of the movement?

I think this is a pretty risky practice. The fact of the matter is that while it may wholly depend on your place of employment, companies prefer to have some sort of legal guarantee of stability. Open source in commercial ventures has always seemed a little bit dodgy for me -- I don't see how management can possibly accept the word of the "community" as sacrosanct, given that at least in my experience people want *legal* assurance that they are getting into something stable. Sneaking open source past your boss is not a good idea. I don't think it is fair to whatever company you work for to involve themselves in some completely new architecture without giving them some guarantee of protection. Frankly, I think that the majority of the Slashdot audience is (no offense) a little bit deluded about open source. People seem to assume that open source implies correctness, elegance, reliability, perfection. I find that commercial solutions often provide just as good a solution and give your boss peace of mind. Open source is great...I just don't know how well it fits into a commercial setting.

I have seen a lot of arguments about Open Source. I am convinced that it is a good thing. I am, myself, enjoying a whole lot from the Open Source movement. However, to do it behind the boss's back... isn't that somewhat against ethics too? My 2 cents.

I don't think there are clear ethical guidelines in many of these situations. If the boss has stated flatly "NO OPEN SOURCE TO BE USED", then it's clearly unethical.

Why? Ignoring bosses' orders can be ethical in a lot of cases. Company's policy has very little to do with ethics, and it's still a moral choice of a person to follow or to reject it. The key is the responsibility -- if a person can be responsible for his action, does not want to push that responsibility to the boss and can defend his decision, he can do whatever he thinks is better.

Anyone remember the AT&T C compiler back-door? Now, THAT was a sneaky back-door, if ever there was one.

Then, there are all those woooonderful "easter eggs" that delight and amuse pointy-haired bosses around the world. Any one of those could be adding back-doors by the thousand, and you'd never know until someone opened one.

The point of Open Source is that it doesn't matter how good the engineer is. Under the licence, any other engineer can examine the source, locate such security economies and obliterate them with a 200 lb. sledge-hammer. With closed-source, you can't do that.

"But with closed-source, nobody can add such features, either!"

BEEP! Wrong. Binary patches aren't as easy as source patches, but they can be written. Gnutella is a good example of this. If an engineer was good ENOUGH, and had closed-source binaries, he or she could STILL add back-doors, only now they are exponentially harder to locate.

If these people are worried about the reliability of sendmail, then Exchange is going to be about the worst move they make.

OTOH, it sounds like the "single mail message lost" thing is more of an excuse than anything else. Sendmail can be a pain to manage.

I've just implemented a mail solution for escorting mail safely from the Internet to an internal Exchange Server using Postfix and LDAP. It's actually quite easy; everything works well, and can be administered from a Windows box with a GUI. (Admittedly, the GUI is a bit clunky, but it's still usable until better alternatives become available.) Users can have Internet ability granted or revoked, groups can be set up, and mail can be forwarded. The system even does virus checking on inbound E-mail!

In short: you don't have to sacrifice the reliability of Linux/*BSD in order to get ease of maintenance.
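A gateway of the kind the poster describes, written here as an added example and not the poster's own configuration: Postfix fragments for an edge host that accepts Internet mail for one domain, rejects recipients that do not exist in the directory (so the gateway never accepts and later bounces mail for unknown users, and cannot be used as an open relay), and hands valid mail to the internal Exchange server. The domain example.com, all hostnames, the LDAP service account and the amavisd-new scanner are assumptions.

```conf
# /etc/postfix/main.cf  (edge relay; added example, all names are assumptions)
myhostname = mailgw.example.com
inet_interfaces = all
# Nothing is delivered locally; this host only relays.
mydestination =
mynetworks = 127.0.0.0/8
# Accept mail from the Internet only for our own domain ...
relay_domains = example.com
# ... and only for recipients that exist in the directory. An address with no
# LDAP match is rejected at SMTP time with "User unknown in relay recipient table".
relay_recipient_maps = ldap:/etc/postfix/ldap-recipients.cf
# Route accepted mail straight to Exchange (brackets skip the MX lookup).
transport_maps = hash:/etc/postfix/transport
# permit_mynetworks lets the LAN send outbound; reject_unauth_destination
# refuses everything that is neither for relay_domains nor from mynetworks.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination
# Pass each message through a virus scanner before relaying (amavisd-new assumed;
# needs a matching smtp-amavis entry in master.cf, not shown here).
content_filter = smtp-amavis:[127.0.0.1]:10024

# /etc/postfix/transport  (run "postmap /etc/postfix/transport" after editing)
#   example.com   smtp:[exchange.internal.example.com]

# /etc/postfix/ldap-recipients.cf  (lookup of valid recipients in Active Directory)
#   server_host = ldap://dc1.internal.example.com
#   search_base = dc=example,dc=com
#   version = 3
#   bind = yes
#   bind_dn = cn=postfix-lookup,ou=service accounts,dc=example,dc=com
#   bind_pw = REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
#   Match the SMTP recipient against the proxyAddresses Exchange maintains.
#   query_filter = (&(objectClass=user)(proxyAddresses=smtp:%s))
#   result_attribute = mail
```

Check the lookup before going live with `postmap -q user@example.com ldap:/etc/postfix/ldap-recipients.cf`; a valid user returns its mail attribute and an unknown one returns nothing.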

In most cases it's not requested as "I want an NT mail server". It's usually "I want one of those email thingies so I can send stuff. Make one."

In my opinion and my case the boss not knowing about what exactly the servers are doing is a good thing. If I tell him how I'm filtering email for ILOVEYOU we need to have a meeting and talk about it and explain it and think about it and.... meanwhile ILOVEYOU is still running around. Instead, I put the filter in and when he panicked because of the news at 11 I simply said "Oh, that can't come through our system".

Another example: I was told that I HAD to get the file servers (which were NT SP1 at the time) to stop going down. I said okay and stayed overnight. Moved one to Linux and Samba serving about 66 gigs. It stopped going down. I vaguely described patches:) Nobody knew about the change until one of the graphics guys tried to install Premiere on it and found a text logon. He literally jumped away from the console. I laughed, I cried... it was better than Cats.

Now, you are correct about being transferred and leaving behind a mess. They all know about the Linux servers now and they serve 550 gigs over SMB. What I am doing is making an "If this is opened I had better be DEAD" kit with passwords, services running, conf files, custom scripts, documentation, etc. along with phone numbers of people who can deal with the same stuff I did. I am going to explain how to move to NT servers as well. I have also explained that if they get a MCSE monkey in there they can move back to NT and get him to handle it. If you are in a standardized office that uses Exchange in corporate mail mode, duh... you have to run Exchange on your end too. I've been helping with a massive NT network at a freelance job, and while Linux and SMB and Sendmail would be better for some of this stuff, there is way too much staff rotation for me to even consider it.

Ok, I'll present you with a situation where exactly that happened, and you tell me:

The CIO of the Fortune 50 company for whom I work issued a memo to all employees that no Open Source would be used on any system in any manner.

However, we did not immediately disable all systems company-wide and shut the whole thing down to remove the many Unix-standard tools that happen to be Open Source, and that run standard system services on every single Unix machine in the entire company. We just ignored him.

Should we have shut down a few thousand Unix servers immediately, pending the approval of new non-Open replacement tools? Would that have been the ethical thing to do?

We talked to an engineer. We'll call him "Jim". Jim works at a major Linux vendor. He explains, "We had no downtime to speak of. Whenever something was wrong, it was because one of our staff screwed up. We had nothing to point fingers at."

Jim converted crucial parts of the company's network to run on the NT operating system. On the company's web page, crucial CGI scripts were given filenames like "webcgi.exe" and "download.dll".

"People stopped complaining," says Jim. "They saw a filename that clearly told them this was an NT system, and they assumed that they'd just have to try their transactions again."

Jim's boss wasn't aware of the NT system at press time, but knew that Jim had done something to reduce complaints. "It cost a lot more than whatever we used to have, but I don't really care."

installed FreeBSD on it. This Linux cousin is well-known and loved in the networking community because it's a descendant of the Berkeley Software Distribution (BSD)

Well said. I want more articles that give an unbiased opinion about both Linux and *BSD. I'm a Linux user myself, having never really used *BSD, but I, too, know that we are in the same boat; if, for example, FreeBSD, is successful, it benefits the free software movement as a whole.

Group Logic has documented several cases where the sendmail program running on the Linux server lost an e-mail message.

Well.. it's possible. This can probably not be compared to the horrors of the people who ran the mail systems at my former employer (it was MS Mail). Legends spoke of lost emails and messages that were days or even weeks late. They upgraded it, though... to MS Exchange;) I have no idea how it fares nowadays.

The folks who know Linux have better things to do than maintain the mail system

Well, what can I say:) Let those incompetent MCSE monkeys run the mail systems...

The problem may come to when something goes kablooie (even unrelated to the open source software) and the headhunters come flocking to put someone on the chopping block. If the software was from a large, dominant provider, the boss and anyone else who ought to be taking responsibility can just shrug and say 'Oh well, buggy as usual' and go on. If there's a "new" and "untried" thing sitting around it's an instant magnet for finger pointers. So a manager who's more worried about his job & perqs will either outlaw open source or go for the 'plausible deniability' solution by not looking too closely.

Ultimately, if you're working in a culture where blame and firings are the way problems are addressed, then you take your fine resume' and your marketable skillset and go on to the next job. You do have that, right, because you're smart enough to choose the right solution instead of the safe one.

Still, he says that his company is thinking seriously about converting its mail server back from Linux to Windows NT. Group Logic has documented several cases where the sendmail program running on the Linux server lost an e-mail message. While it's had few other problems with Linux, he says the software is still difficult for much of the staff to manage; Windows NT is just easier for most of them to use and reconfigure. According to Newberry, saving the cost of a Windows NT license just isn't worth it.

Switching from Linux/Sendmail to NT/Exchange to improve reliability!? What are they thinking? I've dealt with Exchange/NT environments and they are unreliable under high load. I've NEVER had similar problems with sendmail based systems, and I've been admining for over a decade. Someone needs to stop listening to the MS marketing hype. If they really want to go to a proprietary mail system, put in HP OpenMail at least.

However, to do it behind the bosses back... isn't that somewhat against ethics too?

I'm glad to see someone asking ethical questions.

That being said, what are the ethics involved? Remember that ethics are only those generally accepted codes of behavior.

I don't think there are clear ethical guidelines in many of these situations. If the boss has stated flatly "NO OPEN SOURCE TO BE USED", then it's clearly unethical. In the article the situations usually weren't so clear-cut.

Technical people should be allowed to perform their duties with the best tools for the job. Management can raise valid concerns against using Open Source (like, if the people who implemented it locally quit or died, who services this solution). These concerns can, today, be addressed, I think.

It might be unethical for management to dictate solutions without a good justification. If the "approved" solution is unnecessarily expensive and complex, requiring it may be a breach of management's responsibility to the shareholders or upper management. Of course, the fact that management is acting unethically doesn't justify unethical behavior on the part of others.

It's often discussed here and I'd like to see it discussed more. Technicians/Engineers/Programmers are badly in need of codified ethics. Does anyone know anywhere on the Net where this is discussed? Or proposals for what a code of ethics would contain?

Still, he says that his company is thinking seriously about converting its mail server back from Linux to Windows NT. Group Logic has documented several cases where the sendmail program running on the Linux server lost an e-mail message. While it's had few other problems with Linux, he says the software is still difficult for much of the staff to manage; Windows NT is just easier for most of them to use and reconfigure. According to Newberry, saving the cost of a Windows NT license just isn't worth it.

I don't understand this attitude. If one package is broken you don't install a whole different OS! Get a mail server that guarantees mail delivery, like QMail!

What makes you think there is legal recourse for commercial software? The DMCA and recent court rulings (see yesterday's /. article on shrink wrap liability disclaimers being upheld by the WA supreme court) pretty much put an end to any recourse by software purchasers.

It seems rather risky. Deliberately hiding stuff from your boss just isn't a good way to run a business.

It's one thing if s/he takes the attitude if it works, he doesn't care about the guys. It's another thing when he says, "I want an NT mail server" and you give him a Linux server; you're asking for trouble. In the really large organizations I've worked in, there is usually a push to standardize stuff. What happens when you get transferred and some MCSE suddenly has to maintain your BSD box?

On the whole though, I like the article. It seemed much more like actual reporting than hyping one thing or another.

I liked the article, pretty clear and balanced. It made me think, though, about a couple of things.

Open Source is good for both developers and users alike. It's good for developers when they need to write programs or applications and might need to know how certain things work, or if they need to change or extend certain things in the open source software. It's good for users because of all the common reasons that we hear about all the time, about how it is secure because a backdoor would be spotted and how bugs can be spotted easily because the source is available.

But the story also talked about how someone in IT decided to use open source software, sometimes without knowledge of their supervisors and the company at large, to provide a solution. While it sounds like heroics, it also triggers thoughts of potential problems.

Imagine if one of these guys was a programmer who was able to put in a backdoor in the software source that was consequently compiled and put into production. Granted, someone with that kind of access would have other ways of putting in backdoors, not just in programs. But I think that to some extent this may be an issue. Companies may buy software from closed source vendors secure in the knowledge that at least the software doesn't have backdoors in it that were put in by someone who may have specific interest in doing so to break the company's security.

Put another way, if there's a security problem like a backdoor, it's better that it's a disinterested third-party than an employee who may or may not remain within the company, and many times, may even end up at a rival company. Besides, with a backdoor, who's liable? If it's closed source, it's obvious. With open source, there wouldn't be backdoors, but depending on the company's policy, there may be backdoors put in that they wouldn't know about, sometimes they wouldn't even know who might have put it in.

Granted, the potential of such a scenario is small if the company's IT policies are consistent and clear and actions well-documented. But, I still think that such things can and may have happened, and it's due to the availability of source.

So all I'm saying is, the company must decide clearly what they are going to do and strictly enforce it. If better solutions are available, they should be clear about all the possibilities. Politics, of course, will just throw it off completely. But IT professionals 'sneaking' open-source into their company just doesn't jive too well with me, even if the open source philosophy produces superior software.

I work for a mid-sized company of about 100 employees. The contract house I worked for had produced a Windows-based web site for them; I started with a Linux-based system that did a small part of their site.

The owner of the company noticed that I was far more responsive than the other people at the contract house, so he hired me as a programmer/manager to straighten things out.

The first thing I did was to propose that we change the web site from Windows to Linux. The original site was taking 4.5 seconds to pull up a page with no load. I did a demonstration that was instantaneous, and Windows' doom was sealed.

I will treasure the moment forever where I was in the room with my former boss and the owner of the company. The FB was claiming that I could get my neck wrung if Linux wasn't good enough for the job. I said that I'd used it elsewhere, and I knew it was. "Microsoft provides a level of acceptable mediocrity," saith the FB in a tone that made it clear that this was something good.

The owner exploded: "Our company does not seek mediocrity."

We've been running the Linux system for about a month, and so far it's exceeded company expectations and I've become a corporate hero for the first time in my life.

So don't underestimate bosses. Sometimes you can convince them to do the right thing.

I once tried to get a Linux box past the boss through "legit" channels, and had a major success. We were replacing an older-than-god Sun mail server, and I suggested a Linux box. At the time I think it was Slackware. Got it all set up, we moved it into the network, and it worked fine. However, the boss decided to cover his ass, and bought an NT server and a commercial mail program that will remain nameless (you'll see why in a bit). I was miffed, but rather than sulk or smuggle, I got out the hex editor and disassembler. Two hours later, I had found 10 unbounded str* functions that led to buffer overflows. Wrote up an exploit, and showed it to the boss. He didn't really believe it, but let me run the thing, and sure enough, it worked. Two hours and a little help from me and the now-classic AlephOne article later, he had written his own exploit on a different hole. At that point he sent the mail program back, demanded a refund, and there's a Linux server there to this day.